e6c50c23056adc39a17449b4a46c9a7cf7596e7ba4d35db66d7bb1fb72e692f6

Analysis

max time kernel
1200s
max time network
1174s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sales.xls
Size

164KB
MD5

4688b29cd88b429b3c39ec49be52b13e
SHA1

8f05770a0a825930566dd9b4bbcc38b1688eb33d
SHA256

55f10501c28323d6c73d5786aa4371b3ff83d3229eb031049e4f3be81848794b
SHA512

3eb05fe3bd820ddb8f6feb200119141d6dca87e1e76217160fe954088a52f99db7898f4df231e150b1206917e033735b166bb4e0da9d9fb8ae2c9458674faef8
SSDEEP

3072:c5k3hbdlylKsgqopeJBWhZFGkE+cL2NdA+1O4zgCms8WY5+x/PlM3VL9tCVDboro:0k3hbdlylKsgqopeJBWhZFVE+W2NdA+I

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3856	1504	mshta.exe	23
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4512	1504	mshta.exe	23

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e558474c0e19da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009126194d0e19da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f25d3490e19da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043f8444c0e19da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce72874b0e19da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3e6124c0e19da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8519c490e19da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0f8664a0e19da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f53c2f4b0e19da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006096644a0e19da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1504	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1504	EXCEL.EXE
1848	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	taskmgr.exe
Token: SeSystemProfilePrivilege	1848	taskmgr.exe
Token: SeCreateGlobalPrivilege	1848	taskmgr.exe
Token: 33	1384	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1504	EXCEL.EXE
1504	EXCEL.EXE
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 3856	1504	EXCEL.EXE	90
PID 1504 wrote to memory of 3856	1504	EXCEL.EXE	90
PID 1504 wrote to memory of 4512	1504	EXCEL.EXE	94
PID 1504 wrote to memory of 4512	1504	EXCEL.EXE	94
PID 1504 wrote to memory of 4512	1504	EXCEL.EXE	94
PID 1384 wrote to memory of 4760	1384	SearchIndexer.exe	124
PID 1384 wrote to memory of 4760	1384	SearchIndexer.exe	124
PID 1384 wrote to memory of 1616	1384	SearchIndexer.exe	125
PID 1384 wrote to memory of 1616	1384	SearchIndexer.exe	125

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Sales.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\System32\mshta.exe
  C:\Windows\System32\mshta.exe -Embedding
  2⤵
  - Process spawned unexpected child process
  PID:3856
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\eR3TyhAs.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Process spawned unexpected child process
  PID:4512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1808

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1848

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4760
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\eR3TyhAs.hta

Filesize
672B

MD5
46aeeff07fdc89da3424f191387df735

SHA1
84485a0a8301c7cdeddc315a0f53d52bd500b437

SHA256
8edf64b28d02359c77f26daa6cd0f63c0e45128a717acbe53e80dfd6fbc73f86

SHA512
446850be635e04f7d3959b78a7e605d4950a0ebeadd9fd5be14dc933770460ac4f18799a7501fb77f1ff23546be1e4e6bb846e13341adc407c114a809e9e7b36

Download Submit
memory/1504-107-0x0000023666AA0000-0x00000236672A0000-memory.dmp

Filesize
8.0MB

Download
memory/1504-109-0x0000023666AA0000-0x00000236672A0000-memory.dmp

Filesize
8.0MB

Download
memory/1504-2-0x00007FF9C1F70000-0x00007FF9C1F80000-memory.dmp

Filesize
64KB

Download
memory/1504-4-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-3-0x00007FF9C1F70000-0x00007FF9C1F80000-memory.dmp

Filesize
64KB

Download
memory/1504-5-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-6-0x00007FF9C1F70000-0x00007FF9C1F80000-memory.dmp

Filesize
64KB

Download
memory/1504-7-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-106-0x0000023669960000-0x000002366A930000-memory.dmp

Filesize
15.8MB

Download
memory/1504-9-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-10-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-11-0x00007FF9BF960000-0x00007FF9BF970000-memory.dmp

Filesize
64KB

Download
memory/1504-12-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-13-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-14-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-16-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-15-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-17-0x00007FF9BF960000-0x00007FF9BF970000-memory.dmp

Filesize
64KB

Download
memory/1504-18-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-19-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-20-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-36-0x0000023666AA0000-0x00000236672A0000-memory.dmp

Filesize
8.0MB

Download
memory/1504-59-0x0000023666AA0000-0x00000236672A0000-memory.dmp

Filesize
8.0MB

Download
memory/1504-73-0x0000023669960000-0x000002366A930000-memory.dmp

Filesize
15.8MB

Download
memory/1504-80-0x0000023669960000-0x000002366A930000-memory.dmp

Filesize
15.8MB

Download
memory/1504-108-0x0000023669960000-0x000002366A930000-memory.dmp

Filesize
15.8MB

Download
memory/1504-94-0x0000023666AA0000-0x00000236672A0000-memory.dmp

Filesize
8.0MB

Download
memory/1504-98-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-99-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-100-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1504-0-0x00007FF9C1F70000-0x00007FF9C1F80000-memory.dmp

Filesize
64KB

Download
memory/1504-85-0x0000023666AA0000-0x00000236672A0000-memory.dmp

Filesize
8.0MB

Download
memory/1504-101-0x0000023666AA0000-0x00000236672A0000-memory.dmp

Filesize
8.0MB

Download
memory/1504-105-0x0000023666AA0000-0x00000236672A0000-memory.dmp

Filesize
8.0MB

Download
memory/1504-8-0x00007FF9C1F70000-0x00007FF9C1F80000-memory.dmp

Filesize
64KB

Download
memory/1504-1-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/1616-319-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-337-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-265-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-266-0x0000012CA2D80000-0x0000012CA2D90000-memory.dmp

Filesize
64KB

Download
memory/1616-320-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-272-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-273-0x0000012CA2DA0000-0x0000012CA2DB0000-memory.dmp

Filesize
64KB

Download
memory/1616-277-0x0000012CA2DC0000-0x0000012CA2DD0000-memory.dmp

Filesize
64KB

Download
memory/1616-276-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-279-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-287-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-293-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-294-0x0000012CA3010000-0x0000012CA3020000-memory.dmp

Filesize
64KB

Download
memory/1616-298-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-299-0x0000012CA3010000-0x0000012CA3020000-memory.dmp

Filesize
64KB

Download
memory/1616-308-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-350-0x0000012CA2DA0000-0x0000012CA2DB0000-memory.dmp

Filesize
64KB

Download
memory/1616-348-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-342-0x0000012CA3030000-0x0000012CA3040000-memory.dmp

Filesize
64KB

Download
memory/1616-268-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-321-0x0000012CA3030000-0x0000012CA3040000-memory.dmp

Filesize
64KB

Download
memory/1616-324-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-327-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-328-0x0000012CA3030000-0x0000012CA3040000-memory.dmp

Filesize
64KB

Download
memory/1616-336-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-311-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-339-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-341-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-312-0x0000012CA3010000-0x0000012CA3020000-memory.dmp

Filesize
64KB

Download
memory/1616-345-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/1616-349-0x0000012CA2D70000-0x0000012CA2D80000-memory.dmp

Filesize
64KB

Download
memory/3856-89-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/3856-90-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/3856-91-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/3856-92-0x00007FFA01EF0000-0x00007FFA020E5000-memory.dmp

Filesize
2.0MB

Download
memory/3856-97-0x00007FF7CD700000-0x00007FF7CD708000-memory.dmp

Filesize
32KB

Download